DATA PROTECTION LAW, 2017 – IN FORCE NOW

The Cayman Islands’ Data Protection Law, 2017 (DPL) came into force on 30 September 2019. Cayman entities that have not already done so should take immediate steps to ensure they understand their obligations under the new law.

Policies and procedures should be put in place to ensure the proper protection of all personal data under the Cayman entity’s control and to create an effective governance regime for approving, overseeing, implementing and reviewing those policies. With reputations and criminal liability at stake, Cayman entities need to get it right.

Data Controllers

Personal data is defined widely under the law to include any data relating to a living individual which allows that individual to be identified. Under the DPL, personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing should only be undertaken if fresh consent is obtained or there is another legal ground authorising that processing.

Data controllers (those entities or individuals who alone or jointly with others determine the purposes, conditions and manner in which any personal data are, or are to be, processed) are required to set out the purposes for which personal data is being collected and details of whom that data may be shared with.

Third Party Service Providers

In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to third parties. There is no substitute for proper due diligence on the systems, policies and procedures of those providers to ensure that personal data is handled appropriately and securely. Regular physical audits and independent testing of a service provider’s controls would also be advisable.

Contractual provisions should be put in place between the Cayman entity (as the data controller) and the third party service provider (as data processor) to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that loss containment and recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the Cayman entity, as applicable.

Achieving compliance

The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Cayman entities will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.

Prescribed data retention periods are not set out in the DPL but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.

Implementing a data protection compliance programme involves engaging with the right stakeholders and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols, including for seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is not mandatory under the DPL but is recommended.

Breaches of the DPL could result in fines of up to CI$100,000 (US$122,000) per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to CI$250,000 (US$305,000) are also possible under the law. The Office of the Ombudsman, which has responsibility for enforcing the new law, has issued a Guide for Data Controllers to assist with the implementation process.

Protecting personal data is now business critical for Cayman entities. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a business following a breach could be devastating. Appleby would be pleased to assist any persons seeking advice on complying with the requirements of the DPL. Please contact a member of our Regulatory Team or your usual Appleby contact.

Impact on the investment funds industry

The average investment fund potentially generates and retains a large amount of personal data. Fund managers may also hold proprietary research and investment strategies, proprietary and personal information about markets, companies and individuals, high value email and contact lists and net worth information for individuals.

While it is very unlikely that a fund manager will use personal data other than for the purposes of processing an investment and meeting legitimate reporting and record keeping obligations, the fund must set out the purposes for which personal data is being collected and details of whom that data may be shared with.

Recommended best practice would be for this information to be set out in a separate privacy notice which can be provided with the offering memorandum and subscription documents.

Directors and Officers of Cayman Companies and LLCs Now Public

The Companies (Amendment) Law, 2019 has introduced a new section 55A that requires the Registrar of Companies to make a list of the names of the directors and alternate directors (if any) of a company available for inspection by any person, with Schedule 5 (Fees) now including a fee of $50 payable for each inspection of that list. Equivalent requirements apply in respect of managers of an LLC. Inspection of the list of directors/managers will be facilitated at a kiosk at the Office of the Registrar. The lists will not be accessible online. These requirements came into force on 1 October 2019.

Key Contacts

Peter Colegate

Partner, Joint Global Head of Technology & Innovation : Cayman Islands

T +1 345 814 2745
